In a client-server network model, companies or service providers typically offer services and/or applications to client computers and to other services over a computer network. Servers and associated services may include, for example, mail servers, file servers, Customer Relationship Management or CRM services, Enterprise Resource Planning or ERP services, document management services, and the like.
On the one hand, security needs to be guaranteed by restricting the access to these services to trusted users and clients only. On the other hand, trusted users need access to the services in an easy and straightforward manner. Preferably, the services can be reached from anywhere at any time. With the “Bring your own device” (or “BYOD”) policy finding more and more acceptance in companies, services should also be reachable from “anything”, i.e., from any device owned by a trusted user such as for example a tablet computer, a laptop computer, his computer at home or a smartphone.
Various conventional approaches exist to attempt to prevent unauthorized access to such application servers or to the services or applications served by these application servers. For example, placing application servers within a private network is itself a security measure as it isolates the companies network, Local Area Network (or “LAN”) from the Internet and other external public networks. Devices, and thus services, inside the private network are not visible from the public network. The content of the traffic in the private network, and the manner the traffic can traverse the company's network boundaries, can be regulated and monitored by using Network Address Translation (NAT), firewall rules and proxies in the gateway devices separating the WAN from the company's private network. Private networks may further be subdivided physically or virtually by for example Virtual LAN's in order to further separate applications servers from potential unauthorized access by clients within the company's private network.
Network level security may be enforced on a user by user or a client by client basis, such as by configuring a client's firewall to (by default) only have access to an authentication server. When the client is authorized, the client's firewall is opened and all network devices are configured to let pass the client's network traffic to application servers it has been granted access to.
Network level security on a client or user level may also be attempted by a controller generating access rights for users based on identity profiles and health profiles. The controller then configures a protection device thereby providing network access to a set of servers.
The enforcement of network level security in an accepting host may be attempted by configuring the host by a controller. When an initiating host is authorized access to an accepting host, the controller configures the accepting host to accept network connections from the initiating host.
Security within a private network may further be enforced by application level security where user or clients can only access the services on the servers after authentication. In such case a client may find the application server within the network, for example by its IP network address and may find the service running on the application server by its TCP or UDP port number, but the service or application itself may deny the client or user based on authentication credentials. Such authentication may be locally managed by the individual services or centrally by an authentication server. The services then check the authentication credentials against such an authentication server before granting a user and/or client access to a certain service.
Access to a company's private network may by established by a VPN or the Virtual Private Network where a secured networking tunnel is setup between a client device and the private network. The setup of such a tunnel is only granted by authentication with a VPN server. Different authorization schemes exist to ensure that only trusted users and/or clients can join a VPN.
Another solution for providing access to services in a company's private network is by opening up outside access to some services. For example, an email server may allow connections from outside so that users can check their email when they are not in the company. These services are sometimes restricted by only providing access through a specific interface such as for example through the company's website so that the client does not have physical network access to the server running the service but only to a web server providing a subset of the services.
In risk based authentication, access to services is not only granted based on identification of the user and/or client by authentication credentials, but also based on further metrics in order to derive a level of trust appropriate to the risk level. Such metrics are for example: the location of the user, the type of client, the operating system, if all security patches have been installed, the logon history of the user etc. This way a user logging on by VPN may be restricted from services he would not be restricted from when logging on from within the private network. Or a user logging on from within the private network with his own device may be denied some services.